GameOver Zeus gang boss also engaged in cyber espionage

Cyber crooks and cyber spies are often two distinct categories of attackers, but not always. Years-long research by the FBI, Fox-IT and Crowdstrike revealed that, at least in one situation, hackers who were after money were also after secrets.

The GameOver Zeus (GOZ) group has been around for at least five years. By the time of the highly publicized international law enforcement action against their botnet, which at that point was being used to deliver ransomware, the group had already amassed millions by infecting users with a custom version of the infamous Zeus banking malware.

The group, which considers itself to be a “business club,” consists of over 50 individuals scattered throughout the Russian Federation (tech support, mule recruiters, suppliers, etc.). The core team – the fraudsters – is six people, two of whom are the leaders.

We know the name of one of the leaders: Evgeniy Bogachev (aka “Slavik”), the author of Zeus. He was indicted in the US nearly three years ago, but he still hasn’t been arrested, despite the fact that the FBI has offered a reward of up to $3 million for information leading to his arrest.

The researchers believe that one of the reasons Slavik hasn’t yet been caught is that he is protected by “friends in high places” in Russia, whom he helps by performing political espionage.

You see, the GOZ botnet actually consisted, at various times, of up to 27 different botnets, each managed by a different person or group. Most of them were used to perpetrate banking fraud, which netted the operators an estimated $100 million over the years, but some specific botnets were used for espionage.

“One instance focused on Georgia and Turkey, the botnets contained a number of commands issued to specifically these countries, with queries which were very detailed, including searches for documents with certain levels of government secret classifications, and for specific government intelligence agency employees, and information about politically sensitive issues in that region,” Michael Sandee, Principal Security Expert at Fox-IT, explained in the report that he shared with the crowd at Black Hat USA 2015.

In other instances, the targets were OPEC members, and after the recent political changes in Ukraine, machines in Ukraine were infected and searched for certain types of politically sensitive information.

“It is quite likely that Slavik, who had set up and enjoyed full access to these specific Zeus command and control servers, was involved in more than just the crime ring around peer-to-peer Zeus,” Sandee pointed out.

“We could speculate that due to this part of his work he had obtained a level of protection, and was able to get away with certain crimes as long as they were not committed against Russia.”

“The maturity of how they evolved could have been an example out of a Harvard business book,” commented Andy Chandler, SVP at Fox-IT.